dE_logics (Advocate)
Joined: 02 Jan 2009 Posts: 2290 Location: $TERM
Posted: Mon Feb 21, 2011 9:40 am Post subject: Help me rectify my ssl concepts.
When I make an ssl rsa private key, it has a password. Then I have to remove the password to get things working (with the servers).
Q. Why did openssl ask for a password?
When you make a key, you also have an option to specify a symmetric cypher algorithm. But the application using the ssl key is supposed to do that (select the cypher algorithm). So what happens when I specify this algorithm when generating the key?
----
Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?
_________________
My blog
Last edited by dE_logics on Mon Feb 21, 2011 12:29 pm; edited 1 time in total
malern (Apprentice)
Joined: 19 Oct 2006 Posts: 170
Posted: Mon Feb 21, 2011 10:47 am Post subject: Re: Help me rectify my ssl concepts.
dE_logics wrote:
> When I make an ssl rsa private key, it has a password. Then I have to remove the password to get things working (with the servers).
> Q. Why did openssh ask for a password?

(I'm assuming you meant openssl not openssh) Most likely because you told it to encrypt the private key (you do this by specifying a cipher on the command line). Depending on what you want to do with the rsa key it is sometimes useful to have it encrypted, which is why it's an option. If you're just decrypting it straight away then there's no point encrypting it in the first place (i.e. you shouldn't be specifying a cipher to encrypt it with, and then it won't prompt for a password).

dE_logics wrote:
> When you make a key, you also have an option to specify a symmetric cypher algorithm. But the application using the ssl key is supposed to do that (select the cypher algorithm). So what happens when I specify this algorithm when generating the key?

The cipher is only used to encrypt the private key, it does not dictate which cipher the application will use.
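The point malern makes, as an added example that is not part of the thread: the cipher named at key generation only wraps the key file on disk, and a certificate made from that key carries no trace of it. The passphrase, temp directory and subject name are constructed for the demo; it needs the openssl command line.

```shell
#!/bin/sh
# Added example (not from the thread): the cipher named at key generation only
# encrypts the key file on disk. The passphrase and temp paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='demo-passphrase'   # stands in for the interactive prompt the OP saw

# Generate an RSA key wrapped with AES-256-CBC. Naming a cipher here is what
# makes openssl ask for a password; print the PEM label to show the result.
make_encrypted_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$PASS" -out "$WORK/enc.key" 2>/dev/null
  head -n 1 "$WORK/enc.key"
}

# Remove the wrapping (what the OP did to "get things working"): same RSA key,
# plain PKCS#8 container, no cipher involved any more.
strip_passphrase() {
  openssl pkey -in "$WORK/enc.key" -passin "pass:$PASS" -out "$WORK/plain.key"
  head -n 1 "$WORK/plain.key"
}

# Both files hold the same key pair: their public halves are identical.
same_key() {
  a=$(openssl pkey -in "$WORK/enc.key" -passin "pass:$PASS" -pubout)
  b=$(openssl pkey -in "$WORK/plain.key" -pubout)
  if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# A certificate made from the wrapped key carries no trace of AES, so the
# key-file cipher cannot influence the cipher a TLS peer negotiates.
cert_mentions_aes() {
  openssl req -new -x509 -key "$WORK/enc.key" -passin "pass:$PASS" \
    -subj '/CN=demo.example' -days 1 -out "$WORK/demo.crt" 2>/dev/null
  openssl x509 -in "$WORK/demo.crt" -noout -text | grep -ic 'aes' || true
}

make_encrypted_key   # -----BEGIN ENCRYPTED PRIVATE KEY-----
strip_passphrase     # -----BEGIN PRIVATE KEY-----
same_key             # same
cert_mentions_aes    # 0
```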
lxg (Veteran)
Joined: 12 Nov 2005 Posts: 1019 Location: Aachen, Germany
Posted: Mon Feb 21, 2011 10:59 am
You don't have to remove the passphrase to get the key working. That's only what many SSL Howtos of certificate providers suggest, in order to minimize customer support efforts.
In a more security critical setup, it is a good idea to keep the key and have Apache etc. ask for it when restarting.
However, not all services support that. And, this can conflict with stuff like certain setups of logrotate, which try to restart Apache after rotating, and fail due to a missing passphrase to the private key.
Anyway, bottom line: the passphrase is there for a reason.
_________________
lxg.de – codebits and tech talk
chiefbag (Guru)
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Mon Feb 21, 2011 11:58 am
Quote:
> However, not all services support that. And, this can conflict with stuff like certain setups of logrotate, which try to restart Apache after rotating, and fail due to a missing passphrase to the private key.

You can set the following in the /etc/conf.d/apache2 to overcome the passphrase at reload problem
RELOAD_TYPE="graceful"
dE_logics (Advocate)
Joined: 02 Jan 2009 Posts: 2290 Location: $TERM
Posted: Mon Feb 21, 2011 12:32 pm
Ok, thanks for clarifying all this.
Now the only question remaining is about the client.
_________________
My blog
AngelKnight (Tux's lil' helper)
Joined: 14 Jan 2003 Posts: 127
Posted: Wed Feb 23, 2011 8:27 am Post subject: Re: Help me rectify my ssl concepts.
dE_logics wrote:
> Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?

As far as I know, there are no standard X509 certificate attributes that influence SSL/TLS session setup involving a given X509 cert. Generally the software on which the certificate is installed provides separate controls to constrain the permissible session ciphers and modes for enciphered sessions.
Last edited by AngelKnight on Tue Mar 01, 2011 7:44 am; edited 1 time in total
dE_logics (Advocate)
Joined: 02 Jan 2009 Posts: 2290 Location: $TERM
Posted: Thu Feb 24, 2011 1:02 am Post subject: Re: Help me rectify my ssl concepts.
AngelKnight wrote:
> dE_logics wrote:
> > Also, can I specify the key length of the symmetric encryption that the client (with the private certificate) uses?
>
> As far as I know, there are no standard X509 certificate attributes that influence SSL/TLS session setup involving a given X509 cert. Generally the software on which the certificate is installed provides separate controls to constrain the permissible session ciphers and modes for enciphered sessions.

I've yet to find any client in which I can specify the key length of the symmetric algorithm.
_________________
My blog
AngelKnight (Tux's lil' helper)
Joined: 14 Jan 2003 Posts: 127
Posted: Tue Mar 01, 2011 7:45 am Post subject: Re: Help me rectify my ssl concepts.
dE_logics wrote:
> I've yet to find any client in which I can specify the key length of the symmetric algorithm.

will provide the instructions on how to specify specific cipher requirements for commands you might issue with the openssl suite, like s_client.
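The client-side control AngelKnight refers to, as an added example that is not part of the thread: the symmetric key length is picked by the cipher string the client is given, and openssl ciphers -v expands such a string offline the way s_client -cipher and -ciphersuites would apply it. The cipher strings and the host in the comment are constructed for the demo; it needs the openssl command line.

```shell
#!/bin/sh
# Added example, not from the thread: the bulk-cipher key length is chosen by
# the client's cipher string, not by anything stored in the key or certificate.
# `openssl ciphers -v` expands a cipher string the same way s_client -cipher /
# -ciphersuites would, so a policy can be checked without a live server.
set -eu

# Expand a policy: TLS 1.2 suites from $1, TLS 1.3 suites from $2.
expand_policy() {
  openssl ciphers -v -ciphersuites "$2" "$1"
}

# Count suites in the policy whose bulk cipher is NOT 256-bit AES (any of
# AES(256), AESGCM(256), AESCCM(256), ...); 0 means the policy is 256-bit only.
count_non_aes256() {
  expand_policy "$1" "$2" | grep -vc 'Enc=AES[A-Z0-9]*(256)' || true
}

# Count suites that would still negotiate 128-bit AES under a policy.
count_aes128() {
  expand_policy "$1" "$2" | grep -c 'Enc=AES[A-Z0-9]*(128)' || true
}

# Loose policy: OpenSSL's defaults mix 128- and 256-bit suites (count > 0).
count_aes128 'DEFAULT' 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'
# Tight policy: only 256-bit AES, which is what the OP was asking for (0).
count_non_aes256 'AES256' 'TLS_AES_256_GCM_SHA384'

# The same strings are what the client is handed, e.g. (host is a placeholder):
#   openssl s_client -connect host.example:443 -cipher 'AES256' \
#       -ciphersuites 'TLS_AES_256_GCM_SHA384'
```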